Change Auditor 7.5 - User Guide

EMC auditing templates

EMC auditing templates

NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

To enable EMC auditing, create a template for each EMC file server (CIFS) to audit. Each template defines the location of the EMC file server to be audited, the auditing scope, and the agents to receive the events.

NOTE: There can be only one EMC Auditing template per EMC file server (CIFS). To audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected EMC file server.

 

NOTE: Auditing file contents written event on EMC Isilon: To audit the "File contents written" operations, you must audit "Close" operations on Isilon. To audit close operations, use isi zone zones modify command in the command line interface (CLI). For example: To audit a successful close operation for the 'System' zone run the following command: isi zone zones modify system --add-audit-success close. To review all currently audited operations for the System zone, use the following command: isi zone zones view system

To audit a file:

1	Select View | Administration.

2	Select Auditing.

3	Select EMC in the Auditing | NAS task list to open the EMC Auditing page.

4	Click Add.

This opens the EMC Auditing wizard, which steps you through the process of defining the EMC file server (CIFS) to be audited, the auditing scope, and the agents that are to receive the EMC events.

5	Enter the following information:

▪	EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list. Or enter the Netbios name or IP address of the EMC file server (CIFS) to be audited.

NOTE: When creating a template for Isilon, you must use the FQDN. If you select the NetBios name or IP address, the template will not function.

▪	Audit Path - Select File. Enter a file name and path (i.e., <ShareName>\<Path>\<FileName>) to audit or click the browse button to locate and select a file. Click Add to move the specified audit path to the selection list.

NOTE: Isilon file server auditing When specifying a file path to audit, use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template. Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, specify the new share name to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right corner of the page. Volume auditing is not supported and should not be used. Select File or Folder as the Audit Path.

▪	Events tab - Select the file events to audit for the file selected in the selection list.

Repeat this step to add additional files to this auditing template.

NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.

6	Click Next.

7	On the second page of the wizard, select the agents used to connect to the EMC file server to capture the EMC events.

TIP: Specifying multiple agents may provide better performance because the EMC server will load balance audit events and send each assigned agent events round-robin style. However, the downside is that the ‘where’ field for EMC events may contain any one of these agents. Also, if EMC event logging is enabled, events will be written on multiple agent servers.

To add an agent to the EMC Auditing template:

▪	Click Add.

▪	Select one or more agents from the list and click OK.

If the agents that are to capture EMC events are not already specified in the cepp.conf file (pool namesakes servers entry), you will need to enter the credentials required to access the EMC Control Station.

NOTE: Isilon file server auditing: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server. Skip to Step 9.

Click Set Credentials and enter the following information:

▪	Control Station - enter the IP address of the EMC Control Station.

▪	User - enter the user name of an account with Administrative rights (required to create or modify the cepp.conf file) on the selected EMC Control Station.

▪	Password - enter the password associated with the user name entered above.

▪	Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.

Click Test to validate the credentials. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.

The cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.

8	On the last page of the wizard, review the proposed cepp.conf file, which is displayed in the bottom pane.

Use the buttons above the Current cepp.conf File text box, as described below:

▪	To deploy the proposed configuration file, click Update File.

▪	To check the current status of the cepp service, click Check Status.

▪

To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.

9	Click Finish to close the wizard and create the template.

10	On the Administration Tasks tab, click the Configuration task button. Select Agent to open the Agent Configuration page.

11	To ensure the agents are using the latest configuration, select the Change Auditor agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

To audit a folder:

NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

1	Select View | Administration.

2	Select Auditing.

3	Select EMC in the Auditing | NAS task list to open the EMC Auditing page.

4	Click Add.

5	Enter the following information:

▪	EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list. Or enter the Netbios name or IP address of the EMC file server (CIFS) to be audited.

▪	Audit Path - Select Folder. Enter a folder name and path (i.e., <ShareName>\<FolderName>) to audit or click the browse button to locate and select a folder.

NOTE: Isilon file server auditing: When specifying file and folder paths to be audited, the file or folder’s absolute path should be used. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, add the path ‘ifs\test’ in the auditing template to audit changes through the share. Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, please specify the new share name on this page to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right hand corner of the page.

Click Add to add the specified folder to the Selection list.

6	By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list:

▪	This object only- select this option to audit only the selected folder, not its files or subfolders.

▪	This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.

▪	This object and all child objects - select this option to audit this folder and all of its files and subfolders.

In addition, when the folder entry is selected in the Selection list, the tabs across the bottom of the page are activated. The settings specified on these tabs apply to the entry selected.

7	On the Events tab, select the file and folder events to be audited.

8	On the Inclusions tab, specify file masks to audit.

NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.

Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:

▪	Fixed characters such as letters, numbers and other characters that are allowed in file names.

▪	Asterisk (*) wildcard character to substitute zero or more characters.

▪	Question mark (?) wildcard character to substitute a single character.

▪	A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will not receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files to be included, click the Add button to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

9	(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

▪	Fixed characters such as letters, numbers and other characters that are allowed in file names.

▪

Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).

▪	Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

You can also enter the name of an individual subfolder or file to be excluded.

 

IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:

▪	Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.

▪	Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

Click Next.

10	On the second page of the wizard, select the Change Auditor agents to be used to monitor the EMC file server.

▪	Click Add.

▪	On the Eligible Change Auditor Agents dialog, select one or more agents from the list and select OK.

If the Change Auditor agents that are to capture EMC events are not already specified in the cepp.conf file (pool name=quest servers entry), you will need to enter the credentials to be used to access the EMC Control Station.

NOTE: Isilon file server auditing: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server. Skip to Step 12.

Click the Set Credentials button and enter the following information:

▪	Control Station - enter the IP address of the EMC Control Station.

▪	User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.

▪	Password - enter the password associated with the user name entered above.

▪	Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.

Click Test to validate the credentials entered. Once the credentials are validated, select OK to set the credentials as entered and close the dialog.

The required cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.

11	On the last page of the wizard, review the proposed cepp.conf file, which is displayed in the bottom pane.

Use the buttons above the Current cepp.conf File text box, as described below:

▪	To deploy the proposed configuration file, click Update File.

▪	To check the current status of the cepp service, click Check Status.

▪

To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.

12	Click Finish to close the wizard and create the EMC Auditing template.

13	On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.

14	Select the agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration to ensure the agents are using the latest configuration.

To audit a volume:

NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

NOTE: Isilon file server auditing: Volume auditing is not support and should not be used.

1	Open the EMC Auditing Wizard. (Click Add or Edit on the EMC Auditing page.)

2	Enter the following information:

▪	EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list. Or enter the Netbios name or IP address of the EMC file server (CIFS) to be audited.

▪	Audit Path - Select Volume. Enter a volume name (i.e., <VolumeName>) to be audited or click the browse button to locate and select a volume.

Click Add to add the specified volume to the Selection list.

NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.

3	By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed.

Select the volume entry in the Selection list to activate the tabs across the bottom of the page. The settings specified on these tabs apply to the entry selected.

4	On the Events tab, select the file and folder events to be audited.

5	On the Inclusions tab, specify the file masks to audit.

NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.

Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:

▪	Fixed characters such as letters, numbers and other characters that are allowed in file names.

▪	Asterisk (*) wildcard character to substitute zero or more characters.

▪	Question mark (?) wildcard character to substitute a single character.

▪	A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files to be included, click Add to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

6	(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

▪	Fixed characters such as letters, numbers and other characters that are allowed in file names.

▪

Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).

▪	Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

You can also enter the name of an individual subfolder or file to be excluded.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:

IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will not exclude it from auditing.

▪	Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.

▪	Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

Click Next.

7	On the second page of the wizard, select the Change Auditor agents to monitor the EMC file server.

▪	Click Add.

▪	On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.

If the Change Auditor agents that are to capture EMC events are not already specified in the cepp.conf file (pool name=quest servers entry), you’ll need to enter the credentials to be used to access the EMC Control Station.

Click Set Credentials and enter the following information:

▪	Control Station - enter the IP address of the EMC Control Station.

▪	User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.

▪	Password - enter the password associated with the user name entered above.

▪	Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.

Click Test to validate the credentials. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.

The required cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.

8	On the last page of the wizard, review the proposed cepp.conf file, which is displayed in the bottom pane.

Use the buttons above the Current cepp.conf File text box, as described below:

▪	To deploy the proposed configuration file, click Update File.

▪	To check the current status of the cepp service, click Check Status.

▪

To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.

9	Click Finish to close the wizard and create the template.

10	On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page. This will ensure the agents are using the latest configuration.

11	Select the Change Auditor agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

To disable an auditing template:

NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

The disable feature allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template.

1	On the Auditing page, use one of the following methods to disable an auditing template:

▪	Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.

▪	Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

2	To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To disable the auditing of an audit path in a template:

1	On the Auditing page, use one of the following methods to disable an audit path in an auditing template:

▪	Place your cursor in the Status cell for the audit path to be disabled, click the arrow control and select Disabled.

▪	Right-click the audit path to be disabled and select Disable.

The entry in the Status column for the selected file path will change to ‘Disabled’.

2	To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu.

To delete an auditing template:

1	On the Auditing page, select the template to be deleted and click Delete | Delete Template.

2	A dialog displays confirming that you want to delete the selected template. Click Yes.

To delete an audit path from a template:

NOTE: In Auditing templates, you cannot delete the last audit path.

1	On the Auditing page, select the audit path to be deleted and click Delete | Delete File Path.

2	A dialog displays confirming that you want to delete the selected file path from the template. Click Yes.

To delete a Change Auditor agent from a template:

NOTE: In Auditing templates, you cannot delete the last agent.

1	On the Auditing page, select the agent to be deleted and click Delete | Delete Agent.

▪	Right-click the agent to be deleted and select Delete.

2	A dialog will be displayed confirming that you want to delete the selected agent from the template. Click Yes.

EMC Auditing wizard

EMC Auditing wizard

The EMC Auditing wizard displays when you click Add on the EMC Auditing page. This wizard steps you through the process of creating a new EMC auditing template, specifying the EMC file server (CIFS) to be audited, the auditing scope and the agents to receive events.

The following table provides a description of the fields and controls in the EMC Auditing wizard:

 

NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.

 

Table 1. EMC Auditing wizard

Create or modify an EMC Auditing Template page: On the first page of the wizard, specify the EMC file server (CIFS) to auditand define the auditing scope.
EMC File Server (CIFS)	Select the EMC file server (CIFS) from the list or enter the name of the EMC file server to audit. NOTE: The drop-down list contains the CIFS servers published in Active Directory. NOTE: Isilon servers are not listed in the drop-down list but can be entered manually.
Audit Path	Select one of the following options to define auditing for a file, folder or volume: • File - select this option to audit a single file. Then enter a file name and path (<ShareName>\<Path>\<FileName>) or click the browse button to locate and select the file to be audited. • Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (<ShareName>\<FolderName>) or click the browse button to locate and select the folder to be audited. NOTE: Isilon file server auditing: When specifying a file path to be audited, you should use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template. NOTE: Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, please specify the new share name on this page to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right corner of the page. • Volume - select this option to audit a single volume. Then enter the volume name (<VolumeName>) or click the browse button to locate and select the volume to be audited. NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field. • All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk which cannot be changed. NOTE: Isilon file server auditing: Volume auditing is not supported and should not be used. Once you have entered the audit path to be audited, use the Add button to add it to the selection list.
	Click the browse button to locate and select the file, folder or volume to be audited. If you select an invalid file, folder or volume a red flashing icon appears explaining that your selection is invalid. NOTE: This button is not available when All Volumes is selected as the audit path.
Add	Use the Add button to move the entry in the Audit Path text box to the selection list. NOTE: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still click Add to move it to the selection list.
Remove	Select an entry in the selection list and click Remove to remove it from the list.
Selection list	The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing. When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage for the folder. • This object only - select this option to audit only the selected folder, not its files or subfolders. • This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive. • This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default) Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.
Events tab: Use the Events tab to select vital file and/or folder events. NOTE: The process for capturing ACL events is extremely slow. See Performance Considerations for more details on the process used to capture ACL events.
File Events	Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.
Folder Events	Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.
Inclusions tab: When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.
Add the names of subfolders and files to audit	Enter a file mask to specify what in the audit path is to be audited. The file mask can contain any combination of the following: • Fixed characters such as letters, numbers and other characters that are allowed in file names. • Asterisk (*) wildcard character to substitute zero or more characters. • Question mark (?) wildcard character to substitute a single character. • A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path). Note: The slash (\) and double asterisk (**) characters can only be used with volumes. For example, entering * will include all folders and files in the selected audit path. See File/Folder Inclusion and Exclusion Examples for more file mask examples. You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder. Once you have specified the subfolders or files to be included, click Add to add it to the Inclusions list.
Inclusions list	The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.
Add	Use Add to move the entry in the text box to the Inclusions list.
Remove	Select an entry in the Inclusions list and click Remove to remove it.
Exclusions Tab (Optional): When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.
NOTE: To reduce the number of events generated by document File | Save operations in Microsoft Word, Excel, Visio, and PowerPoint (Microsoft Office version 2010, 2013, and 2016), Change Auditor uses event consolidation rules. Excluding temporary files will remove the ability to consolidate these events and you will lose file modified events. Consolidation rules are not supported in multiple agent auditing scenarios.
Add the names and paths of subfolders and files to exclude from auditing	Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following: • Fixed characters such as letters, numbers and other characters that are allowed in file names. • Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths). • Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters. For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders. See File/Folder Inclusion and Exclusion Examples for more examples. You can also enter the name of an individual subfolder or file that is to be excluded from auditing. IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will not exclude it from auditing. Once you have selected a subfolder or file to be excluded, select the appropriate Add button to add it to the Exclusions list.
Exclusions list	The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.
Add	Use one of the following Add commands to move the entry in the text box to the Exclusions list: • Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string. • Add | File - use this option to exclude activity against any files that match the exclusion string.
Remove	Select an entry in the Exclusions list and click the Remove button to remove it.
Select Change Auditor agents page: Use this page to select the agents that are to receive the events captured on the selected EMC file server (CIFS). NOTE: You may improve performance by assigning an EMC Auditing template to more than one Change Auditor Agent. When multiple agents are assigned to the same EMC Auditing template, events will be load balanced between these agents. However, the downside is that the ‘where’ field for EMC events may contain any one of the agents being monitored by this single auditing template. In addition, if EMC event logging is enabled in Change Auditor, events will be written on multiple agent servers.
Add	Click Add to assign one or more agents to the EMC Auditing template. Selecting this button displays the Eligible Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.
Remove	Click Remove to remove the selected agent from the list.
Set Credentials	Click the Set Credentials button to enter the credentials to be used to access the selected EMC Control Station: • Control Station - enter the IP address of the EMC Control Station. • User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station. • Password - enter the password associated with the user name entered above. • Data Mover - select the data mover that hosts the EMC file server (CIFS) specified on the first page of the wizard. Click the Test button to validate the credentials entered. Once the credentials are validated, click OK to set the credentials as entered and close the dialog. NOTE: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server.
Change Auditor Agent list	The list across the bottom of the page lists the Change Auditor agents selected to capture events from the selected EMC file server (CIFS).
CEPP.CONF file page: If you have changed or added agents to your template, use this page to review the changes you are proposing to make to the cepp.conf file. This page displays the current and proposed cepp.conf files. In addition to viewing the current and proposed cepp.conf files, you can optionally make changes to the proposed cepp.conf file or deploy the proposed cepp.conf file on the selected EMC Control Station. NOTE: Isilon file server auditing: This information is not required; click Finish to create the EMC Auditing template.
Update File	Click Update File to deploy the proposed configuration file on the EMC Control Station.
Check Status	Click Check Status to run the following command to check the status of the cepp service: server_cepp <Data Mover Name> -pool -info NOTE: The information provided in the status check window can be used for troubleshooting. For example, a red Connection Disconnected entry could indicate one of the following scenarios: • CAVA service is not connected • Change Auditor agent is offline • Shared EMC Connector service is not running
Audit File	Click the Audit File button to enable or disable the auditing of the cepp.conf file for changes made by other third-party applications. NOTE: When this configuration file is being audited, an event is generated whenever another application modifies the configuration file. Modifications made to this configuration file by another application may prevent Change Auditor from capturing EMC events. Clicking this button displays the Configure cepp.conf Auditing dialog. To enable the auditing of this file, select the Enable Auditing check box and select a Change Auditor agent that is to poll for changes. Click OK to save your selections and close the dialog.
Current cepp.conf File	Displays the contents of the current cepp.conf file on the selected EMC Control Station.
Proposed cepp.conf File	Displays the proposed content of the cepp.conf file based on the selections made in the EMC Auditing wizard. NOTE: You can manually edit the contents of the proposed cepp.conf file from this page.

File System events settings

File System events settings

From the Agent Configuration page on the Administration Tasks tab you can view and/or modify the File System settings for handling duplicate events.

Use the File System tab at the top of the Configuration Setup dialog to define how to process duplicate file system events.

Discard duplicates that occur within nn seconds

This option is selected by default and will discard file system events that occur within 10 seconds of each other. You can enter a value between 1 and 600 (or use the arrow controls) to increase or decrease this interval.

Audit all configured, including duplicates (Not Recommended)

Select this option to audit all configured file system events including duplicate events. This is NOT recommended and therefore is disabled by default.

To set the File System events settings:

1	Open the Administration Tasks tab.

2	Click Configuration.

3	Select Agent to display the Agent Configuration page.

4	Click Configurations.

5	On the Configuration Setup dialog, select an agent configuration from the left pane (i.e., the configuration that is being used by the Change Auditor agents assigned to receive EMC® events).

6	Open the File System tab and modify the settings to define how to process duplicate file system events as defined above.

7	Once you have set these settings, click OK to save your selections, close the dialog and return to the Agent Configuration page.

8	On the Agent Configuration page, select the Change Auditor agent(s) assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

EMC event logging

EMC event logging

NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

In addition to real-time event auditing, you can enable event logging to capture EMC events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

Event logging is disabled by default. When enabled, only configured activities are sent to the EMC event log. See the Change Auditor for EMC Event Reference Guide for a list of the events that can be sent to the event log.

To enable event logging:

1	Open the Administration Tasks tab.

2	Click Configuration.

3	Select Agent in the Configuration task list to display the Agent Configuration page.

4	Click Event Logging.

5	On the Event Logging dialog, select EMC Events.

6	Click OK to save your selection and close the dialog.

The EMC events configured in the EMC Auditing template will then be sent to the ChangeAuditor for EMC event log.